Microsegmentation is one of the hottest buzzwords in an industry full of them. It has undoubtedly appeared as a bullet point on countless board slides while CEOs briefly talk up “Our Bleeding Edge Security Practices.” Regardless of how useful it may or may not be in achieving that goal, this is one word that deserves the buzz.
Over time, workloads have moved from bare-metal to virtualized to cloud, with traffic patterns changing right alongside them. Security has obviously had to adapt to these changes.
With legacy client-server applications, traffic was primarily north-south, flowing in and out of servers in a data center. Hardware firewalls were perfect for security, as you really only needed to protect the perimeter of that data center from breach. Workloads were secured in much the same way a wall secured the inhabitants of a medieval city from invasion, if that city also had some sort of load balancer thrown in to shunt traffic off to various gates and ensure no single area was ever too crowded.
This stopped being sufficient once server virtualization and modern applications took hold. East-west traffic between servers began to dominate and now also needed protection. You couldn’t just wall off the data center and keep an eye on what was coming and going through that wall; you now needed to watch over traffic passing between individual servers (and even between individual virtual machines on the same server) to ensure any attacker who managed to break through the perimeter couldn’t then run amok. Solutions such as adding security capabilities to edge switches and even within hypervisors were introduced to deal with this problem.
Now, with workloads moving beyond virtualization and into public and private clouds where there are no clear boundaries to secure and traffic patterns are even more granular, these network-based firewalls are themselves no longer sufficient. Hence microsegmentation.
Microsegmentation allows for more flexible and precise security policies that can be assigned all the way down to the workload level. Such fine-grained controls ensure attackers face fewer potential weaknesses to exploit, even as the theoretical number of possible points of attack increases. As Matthew Pascucci of Frontline Sentinel wrote on our blog last year:
“With microsegmentation you’re not only able to segment a network, but you’re able to segment within a segment of your network down to individual system level – think of it like an Inception version of segmentation. Here an administrator can logically carve the network to control the traffic and assets within these smaller boundaries.”
Cisco and VMware are two large companies that, alongside CloudPassage, have placed a huge focus on microsegmentation solutions. As you might expect from Cisco, their solution requires new hardware that needs to be installed and managed to fully implement a microsegmentation solution. As you might expect from VMware, their solution requires new software that must also be installed and managed. Both of these solutions are expensive and require major reworking of the data center infrastructure. It is probably also clear that these solutions are geared to private data centers and not the public cloud, and that neither works in hybrid or multi-cloud environments, not even with each other.
The quality of their services aside, these two limitations are notable, since the security risks microsegmentation tackles are all the more pronounced in hybrid and multi-cloud environments. The only method that works in these environments is a firewall solution that runs on the workload itself based on the built-in firewall provided by the OS. This ensures that the firewall function is available at the most granular level needed, the workload.
One of the most difficult parts of running a host-based firewall across thousands of workloads is the complex configuration and management required, especially across multiple operating systems. CloudPassage Halo simplifies this process and can orchestrate firewalls across all environments from a single pane of glass. Workloads in cloud environments also tend to be dynamic, with frequent IP address changes. CloudPassage Halo handles this situation with aplomb, requiring no manual intervention. That we would provide a great solution to the problems brought up by this post is probably not all that surprising since you’re reading our blog, but it remains true all the same.
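The workload-level, OS-native firewall approach described above, as an added example that is not CloudPassage's or Halo's code: a label-based policy is compiled into a per-host nftables ruleset and simply regenerated from inventory when a workload's IP changes, so no rule ever has to be edited by hand. The inventory, policy, group labels and the `microseg` table name are constructed sample values.

```python
"""Compile label-based microsegmentation policy into per-host nftables rules.

Added example, not CloudPassage/Halo code. Inventory and policy below are
constructed sample data; a real orchestrator would pull them from its API.
"""
from collections import defaultdict

# Constructed inventory: workload name -> (group label, current IP address)
INVENTORY = {
    "web-1": ("web", "10.0.1.10"),
    "web-2": ("web", "10.0.1.11"),
    "app-1": ("app", "10.0.2.20"),
    "db-1":  ("db",  "10.0.3.30"),
}

# Constructed policy: (source group, destination group, TCP port).
# Anything not listed is denied, so each workload accepts only what it must.
POLICY = [
    ("web", "app", 8080),
    ("app", "db", 5432),
]


def members(inventory, group):
    """IPs of every workload currently carrying the given group label."""
    return sorted(ip for label, ip in inventory.values() if label == group)


def render_host_rules(host, inventory, policy):
    """Return the input-chain rules for one host as a list of nft statements.

    Rules are derived from labels, not hard-coded IPs: when a peer changes
    address, re-running this for the affected hosts yields the updated set.
    """
    label, _ = inventory[host]
    allowed = defaultdict(set)            # port -> permitted source IPs
    for src_group, dst_group, port in policy:
        if dst_group == label:
            allowed[port].update(members(inventory, src_group))
    rules = ["ct state established,related accept"]
    for port in sorted(allowed):
        if allowed[port]:
            srcs = ", ".join(sorted(allowed[port]))
            rules.append(f"ip saddr {{ {srcs} }} tcp dport {port} accept")
    return rules


def render_nft(host, inventory, policy):
    """Wrap a host's rules in a complete script loadable with `nft -f`."""
    body = "\n".join(f"        {r}" for r in render_host_rules(host, inventory, policy))
    return ("table inet microseg {\n    chain input {\n"
            "        type filter hook input priority 0; policy drop;\n"
            f"{body}\n    }}\n}}\n")
```

The chain's `policy drop` provides the default deny; only peers named by the label policy are ever admitted, and a workload with no inbound policy (here the web tier) accepts only return traffic.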